The OpenID light went on today, after a little setup and testing. I can now go to a blog or CMS or discussion board or other service that supports OpenID and type in “birdhouse.org” – no username, no password. Hit Return, and I’m in. If I’ve never been there before, I get standard user-level permissions. If I’ve been there before and an admin has escalated my privs, I’m in as admin. Securely. How is this possible?
Created an ID for myself at MyOpenID (though you could use any OpenID provider). Doing so gave me an identity URL through that provider. But here’s the dirty little OpenID secret that shouldn’t be a secret: The protocol supports “delegation” — by adding a couple of link tags to the HTML head of a page at any URL you control (the birdhouse.org homepage, in my case), that URL can stand in as your identity URL. So when I typed “birdhouse.org” into a blog that supported OpenID earlier today, it fetched that URL and read its delegation tags. It then knew my “real” identity URL at the provider. The provider was able to determine that I was already logged into their service and pass “true” back to the blog I was trying to access. If I hadn’t been logged into MyOpenID at the time, I would have been prompted to log in there first, as a middle step in a seamless process.
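Discovery as the relying party does it, as an added example that is not part of the original post: a parser that reads the OpenID link tags from the HTML head of a page like the birdhouse.org homepage and returns the provider endpoint plus the identity URL the provider will be asked about. The provider hostnames in the sample page are constructed placeholders, not MyOpenID’s real URLs; the tag names are the ones OpenID 1.x (openid.server / openid.delegate) and OpenID 2.0 (openid2.provider / openid2.local_id) define.

```python
# Added example: relying-party discovery of OpenID delegation tags.
# Parses the HTML head for the OpenID 1.x "openid.server"/"openid.delegate"
# links (and the 2.0 "openid2.provider"/"openid2.local_id" variants) and
# returns (provider_endpoint, identity_url_to_assert).
from html.parser import HTMLParser

# Constructed sample: head of a homepage that delegates to a provider.
# Hostnames are placeholders, not any real provider's URLs.
SAMPLE_PAGE = """<html><head>
<title>example home page</title>
<link rel="openid.server" href="https://openid.example-provider.test/server">
<link rel="openid.delegate" href="https://alice.example-provider.test/">
<link rel="openid2.provider" href="https://openid.example-provider.test/server">
<link rel="openid2.local_id" href="https://alice.example-provider.test/">
</head><body>hello</body></html>"""

class _OpenIDLinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False  # link tags outside <head> are ignored
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        href = a.get("href")
        # rel may carry several space-separated tokens
        for rel in (a.get("rel") or "").lower().split():
            if href and rel.startswith("openid"):
                self.links.setdefault(rel, href)  # first occurrence wins

def discover_delegation(html, claimed_url):
    """Return (provider_endpoint, identity_to_assert), or None if the page
    carries no OpenID tags. Whoever can edit the document at claimed_url
    controls the identity, since the relying party trusts what it says;
    with no delegate tag the claimed URL itself is asserted."""
    p = _OpenIDLinkParser()
    p.feed(html)
    server = p.links.get("openid2.provider") or p.links.get("openid.server")
    if server is None:
        return None
    local_id = p.links.get("openid2.local_id") or p.links.get("openid.delegate")
    return server, (local_id or claimed_url)

if __name__ == "__main__":
    print(discover_delegation(SAMPLE_PAGE, "https://example.test/"))
```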
Once authenticated to the blog, which had the WordPress OpenID plugin installed, a user-level account in that blog was created automatically for me. The admin could then escalate my privileges to admin or whatever, and I’d still only need to type “birdhouse.org” to log in there as admin. And you can’t. So there.
Distributed single sign-on works. Totally elegant.
A while back, Six Apart launched TypeKey, a single sign-on mechanism first made available for Movable Type blogs. TK never really took off, for a couple of reasons. First, most blog owners had already discovered that requiring any kind of sign-on had a chilling effect on blog conversation — any barrier to commenting was too high, and tended to stop casual “stopper-by” conversation dead. Second, a lot of people didn’t want to put all their identity eggs in the Six Apart basket, didn’t feel comfortable having a corporation behind the critical task of identity maintenance. That assumption was bogus – TypeKey was always an open API – but a lot of people didn’t feel comfortable with it. TypeKey isn’t dead, but there aren’t many sites using it.
Lots of identity conversation at SXSW this year, with OpenID emerging as the “final” solution to the distributed identity problem. Ended up not attending that panel, but did get to eat sushi with Kaliya “identity is a commons that no one can own” Hamlin, who (by some accounts) is single-handedly responsible for wrangling the monolithic corporate gargoyles (who all wanted to sell the world on their own proprietary silo identity systems and end up falling into the same hole that swallowed TypeKey), tying them up in a room and making them take mushrooms and hug until they agreed to adopt OpenID. Now even AOL is an OpenID provider.
Free love works!